Pentagon Leak Case Shows that Insider Threats Remain a Prominent Risk

Author: Chris McGowan
Date Published: 25 April 2023

A member of the Massachusetts Air National Guard was arrested by the FBI on Thursday, 13 April 2023, in connection with the leaking of above top secret and classified documents that have been posted online, US Attorney General Merrick Garland announced. Sadly, the latest leak rocking the US intelligence world is not the first time classified documents have made their way into the public eye. In 2013, Edward Snowden leaked a tranche of intelligence documents to the Guardian and the Washington Post; in 2010, Chelsea Manning, then a soldier and analyst in the US Army, began sharing thousands of classified documents with Wikileaks; and in 2017, a former Air Force member and NSA translator, Reality Winner, was arrested and charged for providing a classified report to news website The Intercept.

For those outside of the US intelligence community, top secret classification is reserved for information where unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security. Now, once again, an insider is responsible for reputational damage and further eroding trust with allies. No organization, regardless of sector, is immune. Unlike outsiders, insider threats have ready access to physical, technical, operational and personnel vulnerabilities. Insiders have inherent knowledge about where enterprise value lies. If they want to cause harm, steal information, etc., they have an advantage in knowing exactly how to do it and an easier time executing their actions. More concerning is that even well-meaning insiders can unintentionally cause significant harm due to their access.

Many factors drive insider threat incidents. In survey data on insider motivations, monetary gain led the pack at a significant 59 percent. However, as the incident this month involving the US Air National Guardsman illustrates, these incidents cannot always be explained by financial motivation. Other drivers were not far behind in the survey: reputation damage at 50 percent, theft of intellectual property at 48 percent and fraud at 46 percent. These figures highlight the diverse motivations insiders may have for malicious activity that poses a significant risk to organizations. As the ISACA White Paper “A Holistic Approach to Mitigating Harm from Insider Threats” notes, malicious insider threats are clear in their intent: they want to cause harm, or simply to gain benefits without regard to the impact on the enterprise.

One of the challenges in dealing with malignant insider threats is identifying them before they can do significant damage. This requires a combination of strong security policies, regular monitoring of systems and networks, and training and awareness programs that help employees recognize and report suspicious behavior.

Malicious insider threats pose a significant security risk to organizations, as they involve people who intentionally seek to cause harm or gain personal benefits at the expense of their employer. Unlike malignant insider threats, which may arise from innocent mistakes or negligence, malicious insiders are clear in their intent and often take deliberate actions to compromise the security of the organization.

In May of 2022, a research scientist at Yahoo named Qian Sang stole proprietary information about Yahoo’s AdLearn product minutes after receiving a job offer from The Trade Desk, a competitor. He downloaded approximately 570,000 pages of Yahoo’s intellectual property (IP) to his personal devices, knowing that the information could benefit him in his new job. Yahoo claims that Sang’s actions divested it of the exclusive control of its trade secrets, information that would give competitors an immense advantage.

A challenge in dealing with malicious insider threats is detecting them before they can cause significant harm. This requires a combination of technical controls, such as monitoring systems and networks for suspicious activity, and behavioral controls, such as regular training and awareness programs that help employees recognize and report suspicious behavior. Classified or sensitive information warrants special consideration: for example, logs from systems that store classified information may be subject to more scrutiny than logs from other systems. And while monitoring plays a significant role in protecting an enterprise, it should not be excessive and should not infringe upon employees’ privacy. Employees may have privacy-related rights depending on where they reside; the California Privacy Rights Act, for example, grants employees certain rights, so employee monitoring must comply with applicable laws and regulations. Regardless of regulatory requirements, clearly communicating what is monitored and why helps build trust between employers and employees.
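As an added illustration (not code from the post or from ISACA), the following Python applies the tiered scrutiny described above to constructed audit-log lines: per-user download volume on each system is summed over a sliding 24-hour window, the threshold is far lower for systems tagged as holding classified data, and only counts are retained rather than document content, which keeps the monitoring proportionate. The log format, tier names and thresholds are assumptions made for the example.

```python
"""Added example: tiered bulk-download detection over constructed audit logs.
Stricter thresholds apply to classified systems; only counts are kept."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed sensitivity tiers; thresholds are illustrative, in pages per user
# per 24 hours. Classified systems get the most scrutiny, as the post suggests.
TIER_THRESHOLD = {"classified": 50, "sensitive": 500, "internal": 5000}

@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    system: str
    tier: str
    pages: int

def parse(line: str) -> Event:
    # Constructed line format: "<iso-time> <user> <system> <tier> <pages>"
    ts, user, system, tier, pages = line.split()
    return Event(datetime.fromisoformat(ts), user, system, tier, int(pages))

def detect_bulk_downloads(lines, window=timedelta(hours=24)):
    """Return (user, system, tier, pages_in_window) for each user/system pair
    whose download volume exceeds its tier threshold within any window."""
    events = sorted((parse(l) for l in lines), key=lambda e: e.ts)
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.user, e.system, e.tier)].append(e)
    alerts = []
    for (user, system, tier), evs in by_key.items():
        limit, start, running = TIER_THRESHOLD[tier], 0, 0
        for end, e in enumerate(evs):
            running += e.pages
            while evs[end].ts - evs[start].ts > window:  # slide window forward
                running -= evs[start].pages
                start += 1
            if running > limit:
                alerts.append((user, system, tier, running))
                break  # one alert per user/system pair is enough for triage
    return alerts

SAMPLE_LOG = [  # constructed sample records, not real data
    "2023-04-01T09:00:00 analyst1 repo-classified classified 20",
    "2023-04-01T09:05:00 analyst1 repo-classified classified 25",
    "2023-04-01T09:10:00 analyst1 repo-classified classified 10",  # 55 > 50
    "2023-04-01T10:00:00 dev7 wiki-internal internal 1200",
    "2023-04-03T10:00:00 dev7 wiki-internal internal 1200",  # outside window
    "2023-04-01T11:00:00 sci3 adtech-sensitive sensitive 600",  # 600 > 500
]
```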

Proactive approach needed

Insider threats, whether intentional or accidental, can pose a significant risk to the security of an organization. Organizations need to implement proper security measures and policies to mitigate that risk. By taking a proactive approach to the insider threat, organizations can better protect themselves from the damage these types of security incidents can cause.

To learn more about insider threats and ways to mitigate them, download ISACA’s insider threat white paper, “A Holistic Approach to Mitigating Harm from Insider Threats.”

About the author: Chris McGowan is the principal of information security professional practices on the ISACA Content Development and Services team. In this role, he leads information security thought leadership initiatives relevant to ISACA’s constituents. McGowan is a highly accomplished US Navy veteran with nearly 23 years of experience spanning multidisciplinary security and cyberoperations.